Commit 0d2ece96 authored by Matija Obreza's avatar Matija Obreza

Web API filter checks if baseUrl of referrer matches (startsWith)

parent d6e6dcbd
...@@ -16,6 +16,14 @@ ...@@ -16,6 +16,14 @@
package org.genesys2.server.servlet.filter; package org.genesys2.server.servlet.filter;
import java.io.IOException;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.genesys2.server.service.OAuth2ClientDetailsService; import org.genesys2.server.service.OAuth2ClientDetailsService;
import org.slf4j.Logger; import org.slf4j.Logger;
...@@ -25,13 +33,6 @@ import org.springframework.security.oauth2.provider.ClientDetails; ...@@ -25,13 +33,6 @@ import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component("webApiFilter") @Component("webApiFilter")
public class WebApiFilter extends OncePerRequestFilter { public class WebApiFilter extends OncePerRequestFilter {
private static final Logger _logger = LoggerFactory.getLogger(WebApiFilter.class); private static final Logger _logger = LoggerFactory.getLogger(WebApiFilter.class);
...@@ -54,7 +55,8 @@ public class WebApiFilter extends OncePerRequestFilter { ...@@ -54,7 +55,8 @@ public class WebApiFilter extends OncePerRequestFilter {
if (StringUtils.isBlank(referrer)) { if (StringUtils.isBlank(referrer)) {
throw new Exception("Referrer not provided by client"); throw new Exception("Referrer not provided by client");
} }
if (!clientDetails.getRegisteredRedirectUri().contains(referrer)) {
if (! isRegisteredReferrer(referrer, clientDetails.getRegisteredRedirectUri())) {
throw new Exception("Referrer not registered with client " + referrer); throw new Exception("Referrer not registered with client " + referrer);
} }
...@@ -66,4 +68,13 @@ public class WebApiFilter extends OncePerRequestFilter { ...@@ -66,4 +68,13 @@ public class WebApiFilter extends OncePerRequestFilter {
} }
} }
private boolean isRegisteredReferrer(String referrer, Set<String> baseUrlSet) {
for (String baseUrl : baseUrlSet) {
if (referrer.startsWith(baseUrl)) {
return true;
}
}
return false;
}
} }
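Review bot: The new `isRegisteredReferrer` helper in the last hunk treats a registered redirect URI as a plain string prefix, so a Referer whose host name merely extends a registered host, or whose path is a sibling that shares the registered path's leading characters, passes the check that the replaced exact `contains` lookup would have rejected. Parse both values with `java.net.URI`, require scheme, host and port to match exactly, and compare the path only on a segment boundary; that needs `java.net.URI` and `java.net.URISyntaxException` added to the import block shown in the first hunk. The helper also iterates `baseUrlSet` without a null guard, and whether `ClientDetails.getRegisteredRedirectUri()` can return null is not visible here, so a guard is cheap insurance. A short Javadoc noting that the Referer header is client-supplied, so this is a consistency check against the client registration rather than an authentication control, would help the next reader; the enclosing `doFilterInternal` that calls the helper starts outside the hunk.
```java
private boolean isRegisteredReferrer(String referrer, Set<String> baseUrlSet) {
    if (baseUrlSet == null || baseUrlSet.isEmpty()) {
        return false;
    }
    final URI ref;
    try {
        ref = new URI(referrer);
    } catch (URISyntaxException e) {
        return false; // an unparsable Referer never matches
    }
    for (String baseUrl : baseUrlSet) {
        final URI base;
        try {
            base = new URI(baseUrl);
        } catch (URISyntaxException e) {
            continue; // skip a malformed registration entry
        }
        boolean sameOrigin = base.getScheme() != null && base.getScheme().equalsIgnoreCase(ref.getScheme())
            && base.getHost() != null && base.getHost().equalsIgnoreCase(ref.getHost())
            && base.getPort() == ref.getPort();
        if (!sameOrigin) {
            continue;
        }
        String basePath = (base.getPath() == null || base.getPath().isEmpty()) ? "/" : base.getPath();
        String refPath = (ref.getPath() == null || ref.getPath().isEmpty()) ? "/" : ref.getPath();
        // match on a path-segment boundary, not on a bare character prefix
        String boundary = basePath.endsWith("/") ? basePath : basePath + "/";
        if (refPath.equals(basePath) || refPath.startsWith(boundary)) {
            return true;
        }
    }
    return false;
}
```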